
Filtering Packets with Dynamic Access-Lists

From the document 11.1 AAA Authentication Lists (Page 54-59)

• R6 should restrict access to the outside web servers for the users located on VLAN 67.

• Prior to being allowed to connect to a WWW server, a user should log in to the router using the name “ENABLE” and password of “CISCO”.

• The above procedure should only create an access-list entry for the IP address of the authenticated user.

• Alternatively, any user may connect to port 7001 of R6 and enter the password of “CISCO”.

• This procedure should enable any user on VLAN 67 and behind this VLAN to access the WWW servers.

• Close inactive connections after 5 minutes and do not allow sessions of more than 15 minutes in length.

• A user should be able to extend the maximum duration by logging into R6 repeatedly.

Configuration

R6:

no aaa new-model
!
! Enable absolute timeout extension
!
access-list dynamic-extended
!
! Access-list with dynamic entries
!
no ip access-list extended 100
ip access-list extended 100
 permit tcp any any eq telnet
 permit tcp any any eq 7001
 permit udp any any eq 520
 dynamic ACCESS timeout 15 permit tcp any any eq 80
 deny ip any any log
!
! Apply the access-list inbound
!
interface FastEthernet 0/0.67
 ip access-group 100 in
!
! Note that password and autocommand are on separate lines
! This is because sometimes IOS thinks "autocommand" is a part
! of the password
!
username ENABLE password CISCO
username ENABLE autocommand access-enable host timeout 5
!
! The first four VTY lines (0-3) authenticate users against the local database
!
line vty 0 3
 login local
!
! Dedicate a special line for line-based authentication
! This line can be reached on port 7001 (7000 + rotary group number)
!
line vty 4
 rotary 1
 password CISCO
 login
 autocommand access-enable timeout 5

Verification

Note

Dynamic access-lists (also known as “lock and key”) allow special types of entries that are activated with the CLI command access-enable. Until this command triggers them, the entries are inactive and IOS skips them when evaluating the access-list. The access-enable command unlocks the dynamic entries, hence the name.

Note that once you execute access-enable, it activates all dynamic entries in all access-lists. Commonly, the activation command is bound to a specific user or router line using the autocommand syntax, so that a specific user logging in to the router is what enables the dynamic access-list entries.

Dynamic access-list entries time out after some time. There are two timeouts defined for dynamic ACLs:

1) The inactivity (idle) timeout; you specify it with the command access-enable timeout <TIMEOUT> (in minutes). It only applies when no packets match the entry for the specified amount of time. The default is no idle timeout (only the absolute timeout applies).

2) The absolute timeout; you specify it under the dynamic access-list entry itself, for example

access-list 100 dynamic <SOME_NAME> timeout <TIMEOUT> …

This is the maximum amount of time that the entry may stay active. After this timeout expires, the user may log in and activate the entry again. The default absolute timeout is infinite.

The common implementation of dynamic access-lists looks as follows:

1) Create an extended access-list (either named or numbered) and populate it with dynamic entries, but make sure it also permits the remote access method users will use to reach the router itself (Telnet, or SSH if that is what they use). Without that entry, nobody can log in to activate the dynamic rules.

2) Apply the access-list inbound on the interface controlling user access. Dynamic entries only work in the inbound direction; you cannot use them in outbound ACLs.

3) Create a local user with autocommand access-enable, or apply this command to terminal lines (or to a selected terminal line, using rotary groups). Tune the timeout values if you need to.

4) When a user wants to activate the set of access rules, he or she logs in to the router via Telnet or SSH and authenticates with a username and password (or per the VTY line settings). After that, the autocommand triggers the dynamic ACL entries and immediately terminates the user's session. Now the user may access outside resources per the activated dynamic rules.

By default, executing access-enable activates the entry exactly as configured in the access-list. If you want the source IP address of the user logging in to the router to be inserted, use the command access-enable host. This replaces the source IP address specification (e.g. any) in the dynamic access-list entry with the IP address of the authenticated user, so the temporary entry applies only to that host.

Another special feature is absolute timeout extension. If you configure the global command access-list dynamic-extended, then a user configured with the access-enable autocommand may log in to the router again to extend the absolute timeout by the value configured under the dynamic ACL entry. This allows a user to prolong the session without terminating any existing connections.

Another option is a manual clear feature. It only works with numbered extended ACLs and allows an administrator to deactivate selected dynamic access-list entries manually. The command syntax is

clear access-template <ACL-NUMBER> <DYNAMIC-ENTRY-NAME> <SRC-IP> <SRC-MASK> <DST-IP> <DST-MASK>

For example, the following command:

clear access-template 100 TEST any 10.0.0.0 0.0.0.255

will clear any dynamic entry cloned from the above template. Note that you do not need to specify the “permit” or “deny” keyword or the protocol name.

For verification here, first telnet to R6 directly and log in as the “ENABLE” user. This should activate the host-specific entry in the access-list.

Rack1SW1#telnet 150.1.6.6
Trying 150.1.6.6 ... Open

User Access Verification

Username: ENABLE
Password: CISCO

[Connection to 150.1.6.6 closed by foreign host]

Rack1R6#show ip access-lists
Extended IP access list 100
    10 permit tcp any any eq telnet (87 matches)
    20 permit tcp any any eq 7001
    30 permit udp any any eq rip (15 matches)
    40 Dynamic ACCESS permit tcp any any eq www
       permit tcp host 155.1.67.7 any eq www
    50 deny ip any any log

Note the cloned entry under sequence 40: its source has been replaced with the address of the host that logged in (155.1.67.7), so only that host may reach port 80 through R6.

Now try connecting to the port allowed by the new dynamic entry. Note that as soon as you Telnet through, the inactivity timer starts (300 seconds).

Rack1SW1#telnet 150.1.4.4 80
Trying 150.1.4.4, 80 ... Open
GET / HTTP/1.1

WWW-Authenticate: Basic realm="level_15_access"

401 Unauthorized

[Connection to 150.1.4.4 closed by foreign host]

Rack1SW1#

Rack1R6#show ip access-lists
Extended IP access list 100
    10 permit tcp any any eq telnet (87 matches)
    20 permit tcp any any eq 7001
    30 permit udp any any eq rip (24 matches)
    40 Dynamic ACCESS permit tcp any any eq www

Now clear the access-template:

Rack1R6#clear access-template 100 ACCESS host 155.1.67.7 any
Rack1R6#show ip access-lists 100
Extended IP access list 100
    10 permit tcp any any eq telnet (87 matches)
    20 permit tcp any any eq 7001
    30 permit udp any any eq rip (57 matches)
    40 Dynamic ACCESS permit tcp any any eq www
    50 deny ip any any log

Try connecting to the rotary line (port 7001). As we remember, this line enables the dynamic entry as written and does not insert the host IP address.

Rack1SW1#telnet 150.1.6.6 7001
Trying 150.1.6.6, 7001 ... Open

User Access Verification

Password: CISCO

[Connection to 150.1.6.6 closed by foreign host]

Rack1SW1#

Rack1R6#show ip access-list 100
Extended IP access list 100
    10 permit tcp any any eq telnet
    20 permit tcp any any eq 7001 (42 matches)
    30 permit udp any any eq rip (6 matches)
    40 Dynamic ACCESS permit tcp any any eq www
       permit tcp any any eq www
    50 deny ip any any log (1 match)

As you can see, now anyone can connect across the router to the HTTP port. The temporary entry cloned through the rotary line keeps the template's source of any, so every host behind the interface gets access until the entry idles out, reaches its absolute timeout, or is removed with clear access-template; and because the line is reached over Telnet, the shared line password crosses the network in cleartext. Keep both points in mind before choosing line-based activation over a per-user access-enable host.


Pitfall

Note that you can have only one dynamic entry per access-list. In addition, if you are using dynamic ACLs with AAA enabled, make sure you configure local AAA EXEC authorization when you bind autocommands to usernames (or use the “none” or “if-authenticated” methods if you bind the command to VTY lines). Without EXEC authorization the per-user autocommand is not applied, so the user logs in and out and no temporary entry ever appears in the access-list.
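The pitfall is easiest to see as a configuration. The following is an added example and not part of the original workbook solution: the same R6 setup with aaa new-model turned on, which is exactly the situation where the autocommand stops working unless EXEC authorization is configured. The method-list names LOCAL and ROTARY are arbitrary names chosen for this example; the ACL, usernames, ports and timeouts are the ones the task above uses.

```cisco
! Added example, not the original solution: R6 with AAA enabled.
! LOCAL and ROTARY are method-list names invented for this example.
aaa new-model
!
! Username-bound autocommand: authenticate AND authorize EXEC against
! the local database. Without "aaa authorization exec ... local" the
! per-user "autocommand access-enable host" is never applied.
aaa authentication login LOCAL local
aaa authorization exec LOCAL local
!
! Line-bound autocommand on the rotary VTY: authenticate with the line
! password and authorize EXEC for anyone who authenticated.
aaa authentication login ROTARY line
aaa authorization exec ROTARY if-authenticated
!
! Same dynamic ACL as the task; the Telnet and port-7001 entries must stay
! so that users can reach the router to activate the dynamic entry.
access-list dynamic-extended
!
ip access-list extended 100
 permit tcp any any eq telnet
 permit tcp any any eq 7001
 permit udp any any eq 520
 dynamic ACCESS timeout 15 permit tcp any any eq 80
 deny ip any any log
!
interface FastEthernet 0/0.67
 ip access-group 100 in
!
! Password and autocommand on separate lines, as in the task.
username ENABLE password CISCO
username ENABLE autocommand access-enable host timeout 5
!
! VTY 0-3: per-user login; the clone gets the caller's source address.
line vty 0 3
 login authentication LOCAL
 authorization exec LOCAL
!
! VTY 4 on port 7001: line password; the clone keeps "any" as source.
line vty 4
 rotary 1
 password CISCO
 login authentication ROTARY
 authorization exec ROTARY
 autocommand access-enable timeout 5
```

To check that the autocommand actually ran, log in once and look for the cloned line under sequence 40 in show ip access-lists 100; if the user is disconnected but no clone appears, debug aaa authorization will show whether an EXEC authorization request was made for that line at all.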
